CPRA Exemptions Explained: A Business-Friendly Guide for 2025

Navigating the California Privacy Rights Act (CPRA) can feel a bit like assembling flat-pack furniture without the instructions. Just when you think you’ve got a handle on consumer rights and data deletion, you stumble over terms like B2B communications and GLBA exemptions. This guide cuts through the legal complexity, explains what each CPRA exemption means, when it applies, and importantly, what you still need to do even when you’re exempt. It’s crafted for professionals navigating compliance across HR, finance, health care, B2B, SaaS, and beyond.

The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA). 

It enhances consumer rights and places stricter rules on how businesses collect, use, and share personal information.

The law covers:

• Sensitive personal information, including minors’ data collection, biometric data, or social security numbers.
  
• Consumer rights (such as access, correction, and deletion)
  
• Responsibilities for service providers, contractors, and third parties

CPRA exemptions identify data types, entities, and scenarios where certain provisions of the law do not apply.

Some exemptions cover all of CPRA. Others are section-specific, meaning you’re only off the hook for certain rights like access or deletion.

Understanding these nuances is critical to avoid non-compliance while avoiding over-compliance (yes, that’s a thing).

Now let’s get into the details.

CPRA exemptions can reduce your compliance obligations, but they rarely remove them entirely. Let’s break some of them down by category and purpose.

#1 Conduct wholly outside California

According to Section 1798.145(a)(G), if your data collection, processing, and storage occur entirely outside California, you may be exempt from CPRA under strict definitions.

This means:

• The data must have been collected while the consumer was physically outside of California.
  
• The sale or sharing of personal information must also occur entirely outside of California.
  
• The data must not include any personal information collected when the consumer was inside California.

For example, if a consumer travels outside California and your business collects data about them at that point, and that data is never used, sold, or shared while they are in California, your conduct may fall outside the CPRA scope.

However, this exemption does not apply if personal data was initially stored on a consumer’s device while in California—even if later accessed when they’re outside the state.

#2 De-identified, aggregated and publicly available data

CPRA’s purpose is to protect Californians’ personal data/information and to empower consumers with rights over their data. 

Personal information refers to any data that directly or indirectly identifies or can be linked to a specific individual or household, including identifiers, contact details, online activity, biometric data, geolocation, professional and educational information, and insights derived to profile a person’s preferences or behavior.

CPRA Section 1798.145(a)(F) exempts CPRA’s application to de-identified or aggregated data, provided businesses:

• Can’t reasonably reidentify the information.
• Publicly commit to maintaining its deidentified status.

It also doesn’t apply to publicly available information, such as information in press releases.

#3 Data covered by other laws

The CPRA recognises that certain data types are already governed by other regulations. Here are some of them:​

Healthcare and HIPAA-covered data

Data covered under the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) are generally exempt from CPRA provisions. 

Clinical trial data under the Common Rule, FDA regulations, or ICH guidelines are also exempt. 

Therefore, hospitals, clinics, and health apps already complying with HIPAA may not need to duplicate efforts for CPRA.

Financial data

Information regulated by the Gramm-Leach-Bliley Act (GLBA) is also exempt.​ GLBA regulates financial institutions, and CPRA wisely steps aside. Data like credit scores or loan histories collected by banks, insurers, or fintechs falls under GLBA’s purview, not CPRA.

Credit information

Data subject to the Fair Credit Reporting Act (FCRA), such as credit reports or background checks, falls outside the CPRA’s scope. Credit agencies needn’t entertain CPRA deletion requests for data used to assess creditworthiness.

#4 Employment-related data (Exemption expired)

Under the CCPA, employment-related data were exempted from data protection. However, the CPRA has brought significant changes.

Since January 2023, the CPRA has extended data privacy rights to employees, job applicants, and independent contractors. This means businesses must provide privacy notices, honour consumer privacy rights, and ensure data protection measures are in place for employment-related personal information.

Similarly, exemptions for B2B communications also expired on January 1, 2023. Now, personal information exchanged in B2B contexts, including business emails, may be subject to CPRA provisions.

#5 Non-profit organisations

Non-profits get a free pass (mostly). If your organisation is classified under 501(c)(3), such as those involved in animal welfare or arts promotion, it is generally exempt from CPRA requirements.

However, CPRA applies if they meet certain thresholds through their interactions with for-profit entities, such as through common branding. 

#6 Law enforcement and criminal investigations

Businesses need not comply with their obligations under CPRA if the personal data is:

• Requested via subpoena or court order for civil, criminal, or regulatory investigations.
  
• Needed to comply with federal, state or local laws or a law enforcement directive (e.g., police agency instructing a business to retain data pending a warrant).
  
• Used to cooperate with law enforcement when there’s a good-faith belief that the activity may violate laws.
  
• Required for exercising or defending legal claims

The law also requires businesses to cooperate with the investigation agencies if it is believed that they have violated any laws.

Businesses may receive data access or disclosure requests from law enforcement. In such cases, as long as the request is pursuant to a valid legal process, the CPRA’s obligations (like consumer access, deletion, or opt-out rights) do not apply to that specific data use.

However, businesses must:

• Document the request carefully and ensure it’s legally valid
  
• Avoid using the disclosed data for unrelated purposes
  
• Resume CPRA compliance for the data once it is no longer being used for the criminal investigation
  

#7 Emergency situations involving danger to life or safety

A government agency may access personal data without consent if a natural person is at risk of death or serious injury, provided all the following conditions are met:

• The request is approved by a senior agency officer
  
• The agency believes in good faith that it has the legal basis to access the information
  
• The agency petitions the court within 3 days and agrees that it will destroy the data if the court doesn’t grant access.

#8 Vehicle & vessel warranty repairs

Businesses don’t have to follow CPRA opt-out rules (Section 1798.120) if they’re sharing vehicle or vessel information between a dealer and manufacturer, only to carry out or prepare for a warranty repair or recall and not for marketing or resale.

What kind of data is covered?

• Ownership information (name + contact)
  
• Vehicle information (VIN, make, model, year, odometer)
  
• Vessel information (hull ID, model, engine type)

Note that this exemption only applies if the shared information is used solely for repair or recall purposes, not for ads, upselling, or other uses.

#9 Student grades and education assessments

If you’re a business processing school-related testing or grade data, and a student asks to delete or access that information, you may not have to fulfil that request if:

• The student is still enrolled at the school
  
• The information is part of formal educational records or standardised assessments
  
• Disclosing answers would compromise the integrity of the test

However, you must inform the consumer that you’re not complying because of this exemption.

For example, imagine you’re a SaaS platform providing online exams for school districts. If a parent requests deletion of their child’s test results mid-year, you don’t have to comply, as long as:

• The school still uses that data
  
• Deletion would interfere with school records or future test accuracy

#10 Use of personal information for physical items

If a consumer has given consent for their personal information to be used to create a physical item, such as a printed school yearbook featuring their photo, the business is not obligated to fulfill deletion or opt-out requests under §1798.105 (Right to Deletion) or §1798.120 (Right to Opt-Out of Sale/Sharing) in the following circumstances:

1. The business has spent significant money relying on the person’s consent
   
2. Deleting the data would not be commercially reasonable
   
3. The data is being used only for that physical product

While exemptions exist, they are not absolute:​

• Partial exemptions: Some data may be exempt from certain provisions but still subject to others.​ For example, CPRA only exempts personal data covered by the GLBA, meaning it applies to any data not included under that law.
  
• Compliance with other laws: Even if data is exempt under the CPRA, businesses must ensure compliance with other applicable laws and regulations.​
  
• Consumer rights: Exemptions do not negate all consumer rights. For instance, consumers may still have the right to know about data collection practices and to opt out of certain data uses.

• Map your data: Determine what categories of personal information you collect, use, and share. Consider whether the data you collect is already regulated by other laws, such as Personal Health Information (PHI) under HIPAA and financial data under GLBA.

• Check regulatory overlaps: If you’re already complying with HIPAA, FCRA, or GLBA, you might be exempt from specific data types. However, you may still comply with CPRA for activities that are not covered under the federal law (e.g., cookie consent).

• Consult legal counsel: Engage with legal experts to ensure accurate interpretation and application of exemptions.

• Prepare for non-exempt scenarios: Exemptions don’t cover everything. Ensure that you can handle consumer requests for non-exempt data.

If your business crossed any of the following thresholds in the previous year, and no exemptions apply, you must prepare for CPRA compliance.

• More than $25 M+ as annual revenue
• Processed 100,000+ consumers’ data
• Derived 50% + revenue from selling/sharing personal data

This means you must be equipped for:

• Honouring consumer requests, such as deletion and correction requests.
• Providing opt-out links for consumers (Do not sell/share my information)
• Disclosing data collection purposes.
• Limiting the use of sensitive personal information.

Modern compliance isn’t just about policies—it’s about having the right technology partners. Tools like the CookieYes Consent Management Platform and Privacy Policy Generators help businesses automate privacy workflows and meet obligations under laws like the CPRA, GDPR, and more.